summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2019-05-09ipoe: Fix send NAK for REQUEST with 3 same XID for not existing sessionsDmitriyEshenko
2019-05-09Add information about [common] sectionDmitriyEshenko
2019-05-09Add information [modules]log_syslog and [ipoe]offer-timeoutDmitriyEshenko
2019-03-08initialize ssl_halen = ETH_ALEN in sockaddr_ll structuresDmitry Kozlov
2019-03-08ippool: always initialize mask = 0Dmitry Kozlov
2019-03-08radius: fixed bug (inserting empty Class)Dmitry Kozlov
2019-02-12ipoe: always ignore Gratoitous ARPDmitry Kozlov
2019-02-06Merge pull request #61 from konqueror1/patch-1xebd
Add accel-ppp.service so systemd can work
2019-02-06Merge pull request #69 from themiron/ipoe-dhcp-radius-fixxebd
ipoe: group dhcp options & wins support
2019-02-02ipoe: dhcpv4: add wins1/wins2 config options supportVladislav Grishenko
2019-02-02ipoe: dhcpv4: fix dhcp reply with dns1 unset, dns2 setVladislav Grishenko
2019-02-02ipoe: dhcpv4: group radius array attrs into one dhcp optionVladislav Grishenko
2019-01-28Merge pull request #68 from DmitriyEshenko/masterxebd
ipoe: fix start=up not work if set not per-interface and proxy-arp=0
2019-01-27ipoe: fix start=up not work if set not per-interfaceDmitriyEshenko
2019-01-25Merge pull request #67 from themiron/ipoe-start-fixxebd
ipoe: log invalid start values and fix dist config
2019-01-23ipoe: log invalid start values and fix dist configVladislav Grishenko
2019-01-22shaper: small fix for previous commitDmitry Kozlov
2019-01-21shaper: ignore radius CoA request if shaper attributes are absentDmitry Kozlov
2019-01-21Merge pull request #65 from themiron/sstpxebd
sstp: fix proxy-protocol-v2 sanity checks
2019-01-21Merge pull request #64 from themiron/warn-fixesxebd
warning fixes
2019-01-19sstp: fix proxy-protocol-v2 sanity checksVladislav Grishenko
2019-01-19ipoe/vlan_mon: add check for already loaded moduleVladislav Grishenko
2019-01-19ipoe/cli: fix build warningsVladislav Grishenko
2018-12-20ipoe: stricter route deletionGuillaume Nault
Rework the conditionals to make __ipoe_session_activate() and ipoe_session_finished() follow the same logic: * Drop the second '!serv->opt_ifcfg' test in __ipoe_session_activate(), which is is already checked by the parent conditional. * Invert the order of the tests in ipoe_session_finished(), so that it uses the same conditions as __ipoe_session_activate(). Finally, set the 'src' parameter in iproute_del(), so that we can be sure that the deleted route matches the one added by __ipoe_session_activate(). Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-12-20iputils: remove unnecessary NLM_F_ACKGuillaume Nault
Using NLM_F_ACK in these functions is confusing because they don't parse any netlink response. In fact, NLM_F_ACK is only required internally by rtnl_talk(), which already adds it when its 'answer' parameter is NULL. Therefore it's useless to manually set it in functions that don't set 'answer'. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-12-20iputils: remove NLM_F_CREATE flag from ip6{route,addr}_del()Guillaume Nault
These are deletion requests. NLM_F_CREATE is confusing for readers and ignored by kernel. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-12-20iputils: always set scope to RT_SCOPE_UNIVERSE in ip6route_{add,del}()Guillaume Nault
No need to be clever here. All IPv6 routes have global scope (kernel ignores rtm_scope for IPv6 and always reports RT_SCOPE_UNIVERSE when dumping such routes). Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-12-20iputils: set scope depending on gateway in iproute_{add,del}()Guillaume Nault
From a logical point of view, we have link scope if no gateway is present, and global scope otherwise. Therefore it makes more sense to set rtm_scope depending on 'gw' rather than on 'ifindex'. Currently, callers of iproute_add() and iproute_del() either set 'ifindex' or 'gw', but never both. So even if confusing, the current code results in right scope selection. However one can't figure this out without analysing every caller. We should set rtm_scope based on the presence of the gateway instead. Given the current code base, that doesn't change the end result, but that better maches the scope concept. Also, that's the way iproute2 does its selection. Furthermore, it'd be perfectly valid to have both 'iface' and 'gw' set. In that case, scope should be RT_SCOPE_UNIVERSE instead of RT_SCOPE_LINK. Basing scope selection on 'gw' makes this case work correctly. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-12-20radius: specify gateway in iproute_del()Guillaume Nault
Be more specific about which route we want to remove. By not specifying the gateway we could remove a different route than the one we originally inserted. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-12-20iputils: add 'src' and 'gw' parameters to iproute_del()Guillaume Nault
Rework iproute_del() to have the same parameters as iproute_add(). This will allow callers to specify more precisely the route they want to delete. Callers will later be converted to make use of these parameters to ensure that the removed route precisely matches the one that was originaly inserted. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-12-08iprange: rework range parsing using u_parse_*() functionsGuillaume Nault
Now that we have primitives for parsing IPv4 ranges, let's use them to simplify parse_iprange(). Try u_parse_ip4cidr() first. In case of failure, try u_parse_ip4range(). If any of them succeeds, verify that there aren't spurious data following the range definition. If everything is valid, either load the range or disable the module (if the range is 0.0.0.0/0). The diff is a bit ugly, but the implementation should be much clearer. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-12-08utils: add IPv4 string parsing helpersGuillaume Nault
Define the IPv4 counterparts of u_ip6str() and u_parse_ip6cidr(). Also add the special u_parse_ip4range() which will be useful for parsing the [client-ip-range] section of accel-ppp.conf. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-12-08utils: rework u_parse_ip4addr()Guillaume Nault
Redefine u_parse_ip4addr() to match the behaviour of other u_parse_*() functions: * Drop the err_msg parameter. * Return the number of bytes parsed instead of an error number. * Remove support for fancy IPv4 address notations. There is currently only one user of u_parse_ip4addr() (in iprange.c). Dropping the fancy IPv4 address representations is probably not going to harm anyone (quite the opposite as many users don't realise that leading 0 means octal and that plain integers can be considered IPv4 addresses). Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-12-08utils: fix typo in description of u_parse_endstr()Guillaume Nault
u_parse_endstr() used to be u_parse_eos() in my internal repository. I forgot to update the documentation when I renamed it. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-12-06Add accel-ppp.service so systemd can workkonqueror1
2018-12-04radius: implement Framed-IPv6-Route attributeGuillaume Nault
Framed-IPv6-Route is the IPv6 counterpart of Framed-Route. It's only used for defining routes to be added locally by accel-ppp. Routes that should be announced to the peer using Router Advertisements should be defined in the Route-IPv6-Information attribute (but that's currently not implemented). Framed-IPv6-Route format is: <network in CIDR notation> [<gateway IPv6 address> [<route metric>]] The gateway address and the route metric are optionals, but the metric can only be set if a gateway address is given. One can use the unspecified address '::' to define a route with no gateway and a non-default route metric. When no gateway address is defined, the session's network interface is used directly. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-12-04utils: add string parsing helpersGuillaume Nault
Define parsers for IPv6 addresses and CIDR notations, unsigned integers, separators (variable number of space characters) and end of strings (variable number of spaces followed by '\0'). All of these functions work on constant string and return the number bytes parsed. If the input string doesn't have the expected format, these functions return 0 (no forward progress). Also implement a convenient wrapper around inet_ntop() that can be used easily in printf-like functions. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-12-04libnetlink: add gateway and priority parameters to ip6route_*()Guillaume Nault
Let callers set a gateway and a priority to IPv6 routes. This is necessary for implementing the RADIUS Framed-IPv6-Route attribute. Also let ip6route_del() configure .rtm_protocol. This is already implemented in ip6route_add(), so we need to add the ip6route_del() counterpart. Otherwise, we couldn't delete routes that were added using a non-zero protocol. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-12-03Merge pull request #60 from DmitriyEshenko/masterxebd
Add support cpack for Ubuntu18
2018-12-03Add support cpack for Ubuntu18DmitriyEshenko
2018-12-02Merge pull request #59 from DmitriyEshenko/masterxebd
Add support cpack for Ubuntu16
2018-11-30Add support cpack for Ubuntu16root
2018-11-27ppp: use random LCP (and NCP) identifiersGuillaume Nault
In DSL setups, it's common to have an intermediate equipment, potentially managed by a different operator, between the two PPP endpoints. In such setups, the client establishes a PPPoE or L2TP session with the intermediate equipment. They perform LCP negotiation and eventually get to the authentication phase. Based on the client's username, the intermediate equipment then establishes another L2TP session with the final PPP endpoint (accel-ppp). At this point, the intermediate equipment forwards any PPP frame received on one side to the other side, so that it becomes transparent to PPP frames. Then accel-ppp starts an LCP negotiation again, performs authentication, negotiates NCPs and finally forwards IP packets to and from the client. +--------+ +--------------+ +-----------+ | Client |------------------------| Intermediate |--------------------| accel-ppp | | | | equipment | | | +--------+ +--------------+ +-----------+ <-- First hop PPPoE --> <-- Second hop --> or L2TP session L2TP session <----------------- End to end PPP session -----------------> Therefore, from the client point of view, two LCP negotiations occur. LCP re-negotiation is explicitly handled by RFC 1661 and even non-conforming PPP clients generally cope with this situation well enough (as long as LCP re-negotiation occurs before the authentication phase completes). However, accel-ppp always starts its LCP negotiation with an identifier set to 1. If the previous LCP negotiation also used identifier 1, then some clients (at least MikroTik products) consider that the Configure-Request sent by accel-ppp is part of the previous LCP negotiation and refuse to return to link establishment phase as mandated by section 3.4 of RFC 1661. We can easily work around this problem by using random identifiers. This maximises the chances that accel-ppp picks a different identifier than the intermediate equipment and avoids falling into the MikroTik problem. In case of bad luck and the chosen identifier is the same as the one used for the original LCP negotiation, then PPP establishment fails and the client tries to reconnect until the intermediate equipment and accel-ppp pick up different numbers. So the connection eventually succeeds. The identifier is set in ppp_fsm_init(), so it also affects NCPs. Therefore, IPCP and IPv6CP now also use random identifiers. We need to define 'id' and 'recv_id' in struct ppp_fsm_t as uint8_t, otherwise they could be chosen larger than 255 and comparing their value with the 8-bits values found in received packets would fail (this was generally not a problem when id was initially set to 1 and wouldn't grow much). Also, let's seed random() at startup, so that we don't end up with the same sequences across restarts. This also benefits other users of random(), like LCP magic numbers. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-11-27auth: remove .recv_conf_req from struct ppp_auth_handler_tGuillaume Nault
This callback isn't used anymore. Let's remove it from all authentication backends. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-11-27lcp: reject Authentication-Protocol option in Configure-Request packetsGuillaume Nault
If we receive a Configure-Request packet, that means the peer wants us to authenticate to him. However, none of our authentication backends (PAP, CHAP and MSCHAP v1/v2) supports authenticating ourself to the peer. Therefore, the LCP negotiation completes, but we hang in the authentication phase because accel-ppp never sends any credential. We should reject the Authentication-Protocol option found in Configure-Request packets sent by the peer. This way, the peer knows that we won't authenticate to him. Then it's up to him to keep connecting without authentication from our side or to drop the connection. This doesn't change the way we request the peer to authenticate to us. That part of the negotiation is handled by Configure-Request packets that are sent by us (not those sent by the peer). In practice some PPP clients wouldn't connect with the previous behaviour, but are perfectly happy with their Authentication-Protocol option being rejected. They just resend their Configure-Request without requesting authentication from our side. Also, since the peer_auth field of struct auth_option_t is never set anymore, we can remove the conditionals in auth_recv_conf_nak() and auth_recv_conf_rej(). Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-11-16Remove redundant openssl includeGuillaume Nault
The openssl/ssl.h header file is already included at the beginning of this file. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-11-16Add --no-sigsegv option to accel-pppdGuillaume Nault
It's often useful to let a program crash on SIGSEGV and let an external daemon, like monit or systemd, restart it when needed. This allows to generate core dumps and do post-mortem analysis based on the collected traces. This patch add the new '--no-sigsegv' option to disable accel-ppp's SIGSEGV handler and use the system's core(5) mechanism instead. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-11-16Don't wait for non-blocked signalsGuillaume Nault
SIGSEGV, SIGILL, SIGFPE and SIGBUS aren't blocked, but they're added to the set of signals passed to sigwait(). This is confusing (should these signals be consumed by sigwait() or by their respective signal handler?) and is undefined according to the POSIX man page (http://man7.org/linux/man-pages/man3/sigwait.3p.html). In practice, sigwait() was only triggered when manually sending the signals to accel-pppd ("pkill -FPE accel-pppd"). On normal circumstances though, these signals are triggered by invalid operations run by the program. In these cases the signal handler was run and sigwait() wasn't woken up. So let's remove SIGSEGV, SIGILL, SIGFPE and SIGBUS from the set passed to sigwait(). This simplifies the code, avoids undefined behaviour and doesn't change accel-ppp behaviour for real-world use cases. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-11-12ipcp: reject *-NBNS-Address if we have no value to proposeGuillaume Nault
If wins_opt->addr is NULL, then we have no address to propose (none defined in accel-ppp.conf and none provided by RADIUS). Currently, in that case, accel-ppp accepts and acks the address found in the peer's configuration request. But the peer would normally use the undefined IP address, so if we ack it, we explicitely tell the peer that 0.0.0.0 is the primary/secondary NBNS server. If the peer already knows a NBNS server IP address, it doesn't have to negociate it with accel-ppp. It can just use it directly, after it retrieved its own IP address. Therefore there is no need for accel-ppp to blindly accept addresses proposed by the peer. This patch rejects *-NBNS-Address if accel-ppp has no NBNS server to propose, making it explicit to the peer that its request can't be satisfied. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
2018-11-12ipcp: fix uninitialised memory access when negociating *-NBNS-AddressGuillaume Nault
When handling the EV_WINS event, IPCP assumes that the ->wins1 and ->wins2 fields of the event structure are properly set. But that may not be the case. If only one of the MS-Primary-NBNS-Server or MS-Secondary-NBNS-Server RADIUS attributes was received, then only ->wins1 or ->wins2 is set, while the other keeps a non initialised value. This uninitialised value is then copied by ev_wins() and proposed to the peer when negociating the Primary-NBNS-Address or Secondary-NBNS-Address IPCP options. That leaks four bytes of the stack to the network and prevents using the values found in the [wins] section of accel-ppp.conf as fallback. Fix this by initialising the whole event structure in rad_proc_attrs(). Then, in ev_wins(), we can check if ->wins1 or ->wins2 is properly set before copying them. That allows to propery fallback to accel-ppp.conf values when one of the values was not provided by RADIUS. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>